I Scanned a QR Code and It Asked for My Credit Card — What to Do Right Now

You scanned a QR code and a payment page appeared asking for your credit card number. Whether you entered your details or just saw the form, the steps you need to take depend on one thing: did you submit your card information? Read the section that applies to you.

If you saw the form but did not enter your card number

You are not at financial risk. Scammers cannot steal payment details you never typed. The page may have loaded tracking scripts that captured your IP address or device fingerprint, but those are not emergencies.

Do these three things now:

  1. Close the page immediately and do not return to the URL or share it with anyone.
  2. Clear your browser cache and cookies for that site. On most phones: go to browser settings → Privacy → Clear browsing data and choose cookies and cached images.
  3. Report the URL. Forward the web address to the Anti-Phishing Working Group at reportphishing@apwg.org and report it at ReportFraud.ftc.gov. This helps get the fake page taken down before it catches someone else.

That is all you need to do. Monitor your existing accounts for a few days as a precaution, but no card action is required.

If you entered your credit card number

Act immediately. Scammers who run fake payment pages either use captured card numbers within hours or sell them to other fraudsters within days. Every minute matters.

  1. Call the number on the back of your card right now. Tell the representative you entered your card details on a website you believe was fraudulent. Ask them to cancel the current card and issue a replacement — not just freeze it, but issue a brand-new card with a new number. Any charge the scammer attempts after cancellation will be automatically declined.
  2. Check your transaction history immediately. Log in to your card account or app and look for any charges you do not recognize. Dispute any unauthorized transactions directly with your issuer — most issuers have zero-liability fraud protection for unauthorized charges.
  3. Review what else you entered. Many fake payment pages also ask for your billing address, email, full name, and sometimes a phone number. If you provided these alongside your card number, expect follow-up phishing — calls or texts using your real details to seem credible. Be skeptical of any contact claiming to be your bank or card issuer in the coming weeks; always hang up and call the number on the back of your card to verify.
  4. Check if the page asked for your card's CVV and expiry. If you entered all three (card number, expiry, and CVV), the scammer has everything needed to make card-not-present purchases online. This makes cancellation even more urgent.
  5. Place a fraud alert with the credit bureaus if the form also asked for your date of birth, Social Security number, or address. A fraud alert is free, lasts one year, and requires lenders to verify your identity before extending new credit.
  6. Report the scam. File a report at ReportFraud.ftc.gov and, if any money was actually charged, report it to your state's attorney general as well. The FTC report creates an official record that can help with disputes.

How fake payment QR codes work

A QR code hides its destination URL until after you scan. Scammers use this to direct you to a lookalike payment page before you have a chance to evaluate whether the source is trustworthy. The most common setups include:

Parking meter sticker scams

A fraudulent sticker with a QR code is placed directly over the legitimate payment code on a parking kiosk or meter. The fake page mimics the city or lot operator's payment interface closely enough that many drivers enter their card before noticing the URL is wrong.

Fake delivery-fee pages

A text, email, or physical flyer claims your package is held and requires a small customs or redelivery fee — usually $1 to $5. The low amount lowers suspicion. The QR code leads to a page that collects the card number for the “fee” but actually stores all entered details.

Tampered restaurant or venue payment codes

A QR code sticker is placed over the legitimate table-tent or counter code at a restaurant, bar, or event venue. The fake checkout page looks similar to the real one but routes payment to the attacker.

EV charger and gas pump codes

Sticker QR codes placed over legitimate ChargePoint, Blink, or gas pump payment codes redirect drivers to fake payment portals. The outdoor, unattended setting makes tampering easy and slow to detect.

In every case, the red flag is a payment form you reached by scanning an unverified QR code — not by navigating to a service you initiated yourself. For more detail on what attackers do with captured cards, see how QR code credit card scams work.

How to spot a fake payment page before you enter anything

  • Check the URL before you type anything. Read the domain: the text between https:// and the first single slash, where the part that counts is the end of it, just before that slash. A real city parking page ends in .gov or a recognizable city domain. A real delivery service uses its official domain. Generic domains like “pay-now-delivery.com” or “parking-fee-portal.info” are red flags.
  • Look for HTTPS but do not rely on it alone. The padlock icon means the connection is encrypted — it does not mean the site is legitimate. Scam sites routinely use HTTPS.
  • Question the urgency. “Pay within 24 hours to avoid a fine” or “your package will be returned if you do not pay now” are pressure tactics. Legitimate services do not threaten immediate consequences from a QR code.
  • Check whether the QR code is a sticker. Lift the edge gently. If there is an original code underneath, the sticker is fraudulent. Walk away and pay by another method.
  • Compare the page to what you would expect. If you scanned a parking meter code but the page does not show the meter number or location you are standing at, it is likely fake.
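
The URL check from the first bullet, as an added Python example that is not part of the original guide: it extracts the real host from a scanned URL and compares it with the domains the operator actually publishes. The allowlist entries (parking.example.gov, example-delivery.com) and the sample URLs are constructed; the two generic domains are the ones quoted in the bullet.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of domains the real operators publish (constructed values).
EXPECTED_DOMAINS = {"parking.example.gov", "example-delivery.com"}

def assess_payment_url(url, expected=EXPECTED_DOMAINS):
    """Return (host, verdict, reasons) for a URL decoded from a QR code."""
    parts = urlsplit(url.strip())
    # hostname drops any "user@" prefix and port, and is lower-cased
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    if parts.username is not None:
        reasons.append("text before '@' is a login name, not the site")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("internationalized host name can imitate a brand")
    # Trusted only if the host IS an expected domain or a subdomain of one.
    trusted = any(host == d or host.endswith("." + d) for d in expected)
    if not trusted:
        for d in sorted(expected):
            if d in url.lower():
                reasons.append(f"shows '{d}' but the real host is '{host}'")
        reasons.append("host is not an expected domain")
    verdict = "expected" if not reasons else "do not pay"
    return host, verdict, reasons

if __name__ == "__main__":
    samples = [  # constructed URLs; the generic domains are quoted in the guide
        "https://parking.example.gov/meter/12",
        "https://parking.example.gov.parking-fee-portal.info/pay",
        "https://parking.example.gov@pay-now-delivery.com/fee",
        "http://parking.example.gov/meter/12",
    ]
    for s in samples:
        host, verdict, reasons = assess_payment_url(s)
        print(f"{verdict:10} {host:45} {'; '.join(reasons)}")
```

The second and third samples both use HTTPS and both display the expected domain somewhere in the address, yet the host the browser connects to is a different site.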

Frequently asked questions

Is it a scam if a QR code takes me to a page asking for my credit card?

Almost certainly yes. Legitimate payment flows — parking, delivery, venue ordering — are initiated through official apps or branded websites, not anonymous QR codes on stickers or flyers. If the URL is unfamiliar and you did not start a transaction on a known platform, treat the page as fraudulent and close it without entering anything.

I entered my card number — what should I do first?

Call the number on the back of your card immediately and report potential fraud. Ask the issuer to cancel the current card and issue a new one — this stops any charges the scammer attempts from going through. Then check your transaction history for any unauthorized charges and dispute them. Every hour you wait gives scammers more time to use or sell your details.

I saw the form but did not enter anything — am I safe?

Yes. Simply loading the page cannot expose your card details — scammers can only steal what you type. Close the browser, clear the site's cookies and cache, and report the URL to the FTC. No card action is needed.

What are the most common scenarios where fake QR codes ask for credit card details?

The most frequently reported cases are parking meter sticker scams, fake delivery-fee pages claiming a small customs or redelivery charge, tampered restaurant or venue payment codes, and fake EV charger or gas pump payment codes. In the sticker cases a fraudulent QR code is placed over a legitimate one; delivery-fee codes arrive by text, email, or flyer. In each case the fake checkout page closely mimics the real service.

See where a QR code goes before any payment page loads

QRsafer checks the destination URL against threat intelligence databases and returns a Safe, Risky, or Dangerous verdict before your browser opens the page — so you never end up staring at a fake checkout form again.
